As you probably know, in a domain environment one domain controller is special compared to the others. Besides its other functions, this domain controller also keeps time in sync across the entire domain/forest: all the workstations, servers and the rest of the domain controllers ultimately sync their time with it. In short, this domain controller becomes the reliable time source for all the machines in the domain. If you are thinking about the PDC Emulator, that's the one, the one that handles time.
Now the thing is that this domain controller also needs to synchronize its own clock, but this time with an external source, an NTP server. An external source can be either a time server out on the internet or a hardware appliance, if it's a highly secure environment and outside communication is restricted. You can use the command lines in this article to configure both options, since the only difference is the time server address. In case you have multiple domains, configure the PDC Emulator of the domain at the root of the forest; the PDC Emulators of the child domains follow it through the domain hierarchy.
Right now, if we run a domain controller diagnostic (dcdiag /v), we will see a message that there is no reliable time source configured on the PDC:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
Also, if we open Event Viewer we will find Event ID 12 from the Time-Service source with the same message as above.
Right now the PDC gets its time from the local CMOS clock. We can see this by issuing the command below, which queries the time service status and gives us some useful information (look at the Source line):
w32tm /query /status
To configure the PDC Emulator with an external NTP server, or a hardware appliance for that matter, just use the command line below and execute it. Of course, you will need to replace the NTP servers with the ones that exist in your region or, if you are using a hardware appliance, with its FQDN or IP address. You can search for the public NTP servers in your region on the ntp.org web site.
Before running the command line, check that the public NTP servers in your region actually answer. A plain PING is only a rough test, since many time servers do not answer ICMP; querying them over NTP itself is the better check. This way you reduce time-outs and a lot of warnings in the PDC Emulator's Event Viewer.
Also, UDP port 123 needs to be open in your firewall from the PDC Emulator to the NTP server (and for the replies back). Keep in mind that plain NTP is unauthenticated, so anyone who can answer on that path can shift the time of your whole domain; this is the main reason to prefer an internal appliance in a restricted environment.
w32tm.exe /config /manualpeerlist:"0.ro.pool.ntp.org 1.ro.pool.ntp.org 2.ro.pool.ntp.org" /syncfromflags:manual /reliable:YES /update
As a last step, restart the PDC Emulator time service.
net stop w32time && net start w32time
Now if we query the time service status again we can see that the Source line shows the external time server and not Local CMOS Clock anymore, which is good; it means our configuration worked.
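The whole command-line procedure above, as an added PowerShell example that is not part of the original article: it refuses to run on anything but the PDC Emulator, probes the peers over NTP itself instead of ICMP, applies the configuration, restarts the service and checks that the source is no longer the CMOS clock. The peer names are the same illustrative Romanian pool entries used in this article; replace them with your regional servers or your appliance.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on the forest-root PDC Emulator.
# Assumption: the peer list is illustrative; replace it with your regional pool or hardware appliance.
$peers = @('0.ro.pool.ntp.org', '1.ro.pool.ntp.org', '2.ro.pool.ntp.org')

# 1. Refuse to run anywhere but the PDC Emulator (Win32_ComputerSystem.DomainRole 5 = Primary Domain Controller).
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ne 5) { throw "DomainRole is $role; this host does not hold the PDC Emulator role. Aborting." }

# 2. Probe each peer over NTP (UDP 123) rather than ICMP, which many public time servers drop.
#    /stripchart prints one line per sample; a sample line containing "error:" means no usable reply.
$alive = foreach ($p in $peers) {
    $out = & w32tm.exe /stripchart /computer:$p /samples:2 /dataonly 2>&1
    if ($out -match 'error') { Write-Warning "No NTP reply from $p"; continue }
    $p
}
if (-not $alive) { throw 'No reachable NTP peer; check UDP 123 outbound from this DC before continuing.' }

# 3. Set the manual peer list, mark this DC as a reliable time source and apply the change.
& w32tm.exe /config /manualpeerlist:"$($alive -join ' ')" /syncfromflags:manual /reliable:YES /update | Out-Null
Restart-Service -Name W32Time
& w32tm.exe /resync /nowait | Out-Null
Start-Sleep -Seconds 5

# 4. Verify: the source must be one of the peers, never the local CMOS clock.
$source = (& w32tm.exe /query /source).Trim()
if ($source -match 'Local CMOS Clock|Free-running') {
    throw "W32Time still reports '$source'; the resync has not completed or the peers are unreachable."
}
Write-Output "PDC Emulator is syncing from: $source"
```

The script only keeps peers that answered the stripchart probe, so a dead server in your list never makes it into the configuration and never produces the warning events mentioned above.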
We can also do this using Group Policy, and this way, every time we move the PDC Emulator role to another domain controller, that one is automatically set up as the reliable time source for the domain.
On the PDC Emulator of the forest root domain, open the Group Policy Management console. Right-click the Domain Controllers container and choose Create a GPO in this domain, and Link it here.
Name the GPO according to your company naming convention, then right-click it and choose Edit.
Once the Group Policy Management Editor console opens, drill down to Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers.
From the right-hand side open the Configure Windows NTP Client policy setting, enable it, then move down to the Options section. In the NtpServer box type your public NTP servers, each followed by the 0x9 flag, or the IP/FQDN of your hardware appliance. From the Type drop-down box select NTP, then click OK to save the changes.
There are multiple flags that can be set for a time server, and there is a great TechNet article that describes every one of them. The 0x9 flag used here is the combination of 0x1 (UseSpecialPollInterval: poll this peer at the fixed SpecialPollInterval instead of the dynamic interval) and 0x8 (Client: talk to the peer in client mode), which is the usual pair for a PDC Emulator's external peers.
0.ro.pool.ntp.org,0x9 1.ro.pool.ntp.org,0x9 2.ro.pool.ntp.org,0x9
Still in the Time Providers folder, open the Enable Windows NTP client policy setting and enable it. Click OK then close the Group Policy Management Editor console.
Now if we leave the policy like this it will apply to all the domain controllers in the environment, which is not what we want: only the PDC Emulator should use an external source, and the other domain controllers must keep following the domain hierarchy. In order to make the policy apply just to the PDC Emulator we need to create a WMI filter and link it to the GPO we just created.
In the Group Policy Management console, right-click the WMI Filters folder and choose New.
Name the WMI Filter then click the Add button. A new window will open, and in the Query box of this new window type the following:
Select * from Win32_ComputerSystem where DomainRole = 5
Now go back to the GPO and link the WMI filter to it (DomainRole 5 is the Win32_ComputerSystem value for a primary domain controller, so the filter matches only the DC that currently holds the PDC Emulator role). Answer Yes on the message that pops up.
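The same GPO built with the GroupPolicy module, as an added example that is not part of the original article. It writes the registry values behind the two policy settings used above (Configure Windows NTP Client and Enable Windows NTP Client) and links the GPO to the Domain Controllers OU; the WMI filter is still created and attached in the Group Policy Management console as described, since there is no built-in cmdlet for it. The GPO name is a hypothetical one, and the value defaults are the ones the policy dialog proposes; confirm them against the ADMX in your environment.

```powershell
# Added example, not from the original article. Assumes the GroupPolicy and ActiveDirectory modules
# are installed and the account can create and link GPOs in the forest root domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$gpoName    = 'DC - PDC Emulator External Time Source'   # hypothetical; follow your naming convention
$ntpPeers   = '0.ro.pool.ntp.org,0x9 1.ro.pool.ntp.org,0x9 2.ro.pool.ntp.org,0x9'
$policyRoot = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time'
$ntpClient  = "$policyRoot\TimeProviders\NtpClient"

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'External NTP source; scope to the PDC Emulator with the DomainRole=5 WMI filter'
}

# "Configure Windows NTP Client": NtpServer and Type are written under Parameters ...
Set-GPRegistryValue -Name $gpoName -Key "$policyRoot\Parameters" -ValueName 'NtpServer' -Type String -Value $ntpPeers | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$policyRoot\Parameters" -ValueName 'Type'      -Type String -Value 'NTP'     | Out-Null
# ... and the rest of that setting's options under TimeProviders\NtpClient (dialog defaults).
Set-GPRegistryValue -Name $gpoName -Key $ntpClient -ValueName 'CrossSiteSyncFlags'         -Type DWord -Value 2    | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $ntpClient -ValueName 'ResolvePeerBackoffMinutes'  -Type DWord -Value 15   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $ntpClient -ValueName 'ResolvePeerBackoffMaxTimes' -Type DWord -Value 7    | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $ntpClient -ValueName 'SpecialPollInterval'        -Type DWord -Value 3600 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $ntpClient -ValueName 'EventLogFlags'              -Type DWord -Value 0    | Out-Null
# "Enable Windows NTP Client"
Set-GPRegistryValue -Name $gpoName -Key $ntpClient -ValueName 'Enabled' -Type DWord -Value 1 | Out-Null

# Link it to the Domain Controllers OU (idempotent). Attach the WMI filter in GPMC before relying on it,
# otherwise every DC in the OU would pick up the external peers.
$dcOU = "OU=Domain Controllers,$($domain.DistinguishedName)"
$linked = (Get-GPInheritance -Target $dcOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $dcOU -LinkEnabled Yes | Out-Null
}
Write-Output "GPO '$gpoName' configured and linked to $dcOU"
```

Until the WMI filter is attached the link behaves exactly like the unfiltered GPO described above, so attach the filter first if the OU already contains more than one domain controller.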
After the GPO applies we can see that time is now syncing from an external source.
And what about the clients? you might ask. No need to worry about them: once joined to the domain they use the domain hierarchy (type NT5DS), so workstations and member servers sync from a domain controller in their domain, and those domain controllers in turn sync from the PDC Emulator. You can check it out with the w32tm /query /status command line, whose Source line shows the domain controller they sync from.
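A quick audit of the resulting hierarchy across all domain controllers, as an added PowerShell example that is not part of the original article. It reads each DC's effective time configuration (preferring the policy key the GPO writes over the service's own key), and flags the two things that can go wrong here: a PDC Emulator still free-running on its CMOS clock, and the time GPO landing on a non-PDC DC because the WMI filter is missing. It assumes the ActiveDirectory module and WinRM access to the DCs.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module and WinRM access to every DC.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $live   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
    # Values written by the GPO override the service's own key, so report those when they exist.
    $effective = if (Test-Path $policy) { Get-ItemProperty $policy } else { $live }
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        DomainRole    = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole   # 4 = other DC, 5 = PDC
        PolicyApplied = Test-Path $policy
        Type          = $effective.Type        # NTP (manual peers) or NT5DS (domain hierarchy)
        NtpServer     = $effective.NtpServer
        Source        = (& w32tm.exe /query /source).Trim()
    }
}

foreach ($r in ($report | Sort-Object DomainRole -Descending)) {
    $isPdc    = $r.DomainRole -eq 5
    $problems = @()
    if ($isPdc) {
        if ($r.Type -ne 'NTP')                   { $problems += 'PDC Emulator has no manual NTP peers' }
        if ($r.Source -match 'Local CMOS Clock') { $problems += 'PDC Emulator is free-running on its CMOS clock' }
    } else {
        if ($r.PolicyApplied)                    { $problems += 'time GPO applied to a non-PDC DC; check the WMI filter' }
        if ($r.Type -ne 'NT5DS')                 { $problems += 'non-PDC DC should follow the domain hierarchy (NT5DS)' }
    }
    $state = if ($problems) { 'PROBLEM: ' + ($problems -join '; ') } else { 'OK' }
    '{0,-20} role={1} type={2,-6} source={3,-40} {4}' -f $r.Computer, $r.DomainRole, $r.Type, $r.Source, $state
}
```

Run it again after moving the PDC Emulator role: the old holder should drop back to NT5DS with the policy key gone, and the new holder should show type NTP with the external source within a policy refresh cycle.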
Other useful commands
The commands used so far are enough to configure an NTP server for the domain most of the time, but there are situations when you need to troubleshoot or get more information from the time service.
For example, if you want to force a synchronization instead of waiting for the next scheduled one, you can use the command below:
w32tm /resync /nowait
Check the NTP configuration:
w32tm /query /configuration
w32tm /query /source
Reset the configuration to default in case something went wrong (note that this puts the PDC Emulator back on the domain hierarchy type, so you will need to run the configuration command again afterwards):
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
Setting up an NTP server for the domain is not a must: your domain will keep working without it, but it is recommended. Kerberos only tolerates a clock skew of five minutes by default, and correlating logs across machines depends on everyone agreeing on the time, so a PDC Emulator left free-running on its CMOS clock will eventually cause real problems. As you can see it's not a difficult operation, and at the very least it gets rid of the diagnostic messages in Event Viewer. If you are wondering which one to use between the two, I will always go with the command line option. I don't know, I like it better.